Flex Databases compliance checklist for EMA Guideline on computerised systems and electronic data in clinical trials
Flex Databases is always ready to support you in any challenging situation. Today, now that GDPR has come into effect, we are here to demonstrate that in partnering with us you are fully prepared for it. Here are some key GDPR requirements, with an explanation of how Flex Databases meets them:
GDPR: Article 28.2 ‘The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.’
Flex Databases: Only customers are the data controllers, who decide which data is collected and how it is processed and stored. Flex Databases is the data processor; it strictly fulfills its agreements with customers and ensures that data is processed according to the data controller's instructions. If our clients want to put the rights and obligations under GDPR on paper, we are ready to sign a Data Processing Agreement to capture the roles of data processor and data controller and to formalize the measures taken to protect the data.
GDPR: Article 17 ‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.’
Flex Databases: In clinical trials, there is no obligation to erase the subjects’ data, as GDPR says that the right to erasure does not apply in the case of scientific research purposes. If you need to delete the personal data of a dismissed employee, just write to our Helpdesk and this will be done.
GDPR: Article 32 ‘The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.’
Flex Databases: All traffic into and out of the Flex Databases Platform is encrypted using the TLS/SSL protocol, which leverages either SHA-2 or AES algorithms. Access to the user interfaces is encrypted via HTTPS/SSL. We provide tools for data pseudonymization and ensure strong control of system access rights.
GDPR: ‘Transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.’
Flex Databases: Our system is provided as ‘Software as a Service’ (SaaS), a software distribution model in which we, as the system supplier, host applications and make them available to customers over the Internet. Cloud-based means that storage and processing take place on servers hosted by Flex Databases in subcontracted data centers, which are evaluated before contracting and reassessed periodically. We store and back up the data of our European clients in qualified data centers located in the EU.
GDPR: Article 37 ‘The controller and the processor shall designate a data protection officer.’
Flex Databases: We have appointed a Data Protection Officer who trains the staff in the GDPR and provides guidance on related issues. In case of any data privacy concerns, please contact: firstname.lastname@example.org